SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Oracle Java SE Vendors:   Oracle, Sun
(Oracle Issues Fix for Oracle Linux) Oracle Java SE Multiple Flaws Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges
SecurityTracker Alert ID:  1041363
SecurityTracker URL:  http://securitytracker.com/id/1041363
CVE Reference:   CVE-2018-2952   (Links to External Site)
Date:  Jul 24 2018
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6u191, 7u181, 8u172, 10.0.1
Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can gain elevated privileges. A remote user can access and modify data on the target system. A remote user can cause denial of service conditions on the target system.

A remote user can exploit a flaw in the Java SE Java DB component to gain elevated privileges [CVE-2018-2938].

A remote user can exploit a flaw in the Java SE Deployment component to gain elevated privileges [CVE-2018-2964].

A remote user can exploit a flaw in the Java SE JavaFX component to gain elevated privileges [CVE-2018-2941].

A remote user can exploit a flaw in the Java SE Windows DLL component to gain elevated privileges [CVE-2018-2942].

A remote user can exploit a flaw in the Java SE Security component to access data [CVE-2018-2972].

A remote user can exploit a flaw in the Java SE Embedded JSSE component to modify data [CVE-2018-2973].

A remote user can exploit a flaw in the Java SE Embedded Libraries component to partially access data [CVE-2018-2940].

A remote user can exploit a flaw in the Java SE Embedded JRockit Concurrency component to cause partial denial of service conditions [CVE-2018-2952].

Daniel Bleichenbacher of Google, Gregory Draperi, Sidney Markowitz, and Zhong Zhaochen reported some of these vulnerabilities.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A remote user can cause denial of service conditions.

A remote user can gain elevated privileges on the target system.

Solution:   Oracle has issued a fix for CVE-2018-2952 in the java-1.8.0-openjdk packages for Oracle Linux 7 (1.8.0.181-3.b13.el7_5). The other CVEs listed above are not addressed by this Oracle Linux errata.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2018-2242.html
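A practical check for this errata is whether every installed java-1.8.0-openjdk* package is at or above the fixed build listed in the ELSA-2018-2242 message, 1.8.0.181-3.b13.el7_5. The script below is an added example, not part of the SecurityTracker alert or of Oracle's errata. It parses `rpm -qa` style NEVRA strings and compares epoch, version and release with a reimplementation of rpm's rpmvercmp() segment rules (numeric segments compare as integers, alpha segments compare lexically, a numeric segment is newer than an alpha one, a tilde sorts before everything), so it runs offline without the rpm binary. The sample `rpm -qa` output, the assumed epoch of 1 (taken from the changelog headers such as `[1:1.8.0.181-3.b04]`) and the pre-fix version strings are constructed for illustration.

```python
"""Flag java-1.8.0-openjdk* packages older than the ELSA-2018-2242 build.

Added example, not Oracle's or SecurityTracker's code. FIXED_* values come
from the errata package list; everything else here is an assumption made
for the example (the rpmvercmp reimplementation covers digits, letters and
'~' only, not the newer '^' separator).
"""
import re
from typing import Dict, Optional, Tuple

AFFECTED_PREFIX = "java-1.8.0-openjdk"
FIXED_EPOCH = 1                    # assumed from the changelog "[1:...]" headers
FIXED_VERSION = "1.8.0.181"
FIXED_RELEASE = "3.b13.el7_5"

# Constructed sample of `rpm -qa` output (plain `rpm -qa` omits the epoch).
SAMPLE_RPM_QA = """\
java-1.8.0-openjdk-headless-1.8.0.171-8.b10.el7_5.x86_64
java-1.8.0-openjdk-1.8.0.171-8.b10.el7_5.x86_64
java-1.8.0-openjdk-devel-1.8.0.181-3.b13.el7_5.x86_64
java-1.7.0-openjdk-1.7.0.181-2.6.14.8.el7_5.x86_64
bash-4.2.46-30.el7.x86_64
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")
_NEVRA = re.compile(
    r"^(?P<name>.+)-(?:(?P<epoch>\d+):)?(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$"
)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does: -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":            # tilde is older than anything
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() and y.isdigit():     # numeric: compare as integers ("3" < "10")
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():    # numeric segment beats alpha segment
            return 1 if x.isdigit() else -1
        elif x != y:                        # alpha: plain lexical order
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    # One side has segments left over; it is newer unless they start with '~'.
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_nevra(nevra: str) -> Tuple[str, Optional[int], str, str, str]:
    """Split NAME-[EPOCH:]VERSION-RELEASE.ARCH into its parts (epoch may be None)."""
    m = _NEVRA.match(nevra)
    if not m:
        raise ValueError("not a NEVRA string: %r" % nevra)
    epoch = int(m["epoch"]) if m["epoch"] else None
    return m["name"], epoch, m["ver"], m["rel"], m["arch"]


def compare_evr(e1: int, v1: str, r1: str, e2: int, v2: str, r2: str) -> int:
    """Epoch first, then version, then release, as rpm orders packages."""
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def is_fixed(nevra: str) -> Optional[bool]:
    """True/False for java-1.8.0-openjdk* packages, None for unrelated ones."""
    name, epoch, ver, rel, _arch = parse_nevra(nevra)
    if not name.startswith(AFFECTED_PREFIX):
        return None
    if epoch is None:                       # rpm -qa omits the epoch; assume the package's own
        epoch = FIXED_EPOCH
    return compare_evr(epoch, ver, rel, FIXED_EPOCH, FIXED_VERSION, FIXED_RELEASE) >= 0


def audit(rpm_qa_output: str) -> Dict[str, str]:
    """Map each affected package in `rpm -qa` output to 'fixed' or 'vulnerable'."""
    result: Dict[str, str] = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        state = is_fixed(line)
        if state is not None:
            result[line] = "fixed" if state else "vulnerable"
    return result


if __name__ == "__main__":
    for pkg, state in audit(SAMPLE_RPM_QA).items():
        print("%-10s %s" % (state, pkg))
```

On a real host, feed it `rpm -qa 'java-1.8.0-openjdk*'` instead of the constructed sample; a mixed result (headless still at 1.8.0.171 while -devel is already at .181) is exactly the partially-updated state a plain "is Java patched?" glance misses, and the numeric-segment rule is why a string comparison of the release field would wrongly rank `3.b13` above `10.b13`.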

Vendor URL:  linux.oracle.com/errata/ELSA-2018-2242.html (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Jul 17 2018 Oracle Java SE Multiple Flaws Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges



 Source Message Contents

Subject:  [El-errata] ELSA-2018-2242 Moderate: Oracle Linux 7 java-1.8.0-openjdk security and bug fix update

Oracle Linux Security Advisory ELSA-2018-2242

http://linux.oracle.com/errata/ELSA-2018-2242.html

The following updated rpms for Oracle Linux 7 have been uploaded to the 
Unbreakable Linux Network:

x86_64:
java-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-accessibility-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-accessibility-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-accessibility-debug-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-accessibility-debug-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-debug-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-debug-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-demo-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-demo-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-devel-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-devel-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-headless-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-headless-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-javadoc-1.8.0.181-3.b13.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.181-3.b13.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.181-3.b13.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.181-3.b13.el7_5.noarch.rpm
java-1.8.0-openjdk-src-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-src-1.8.0.181-3.b13.el7_5.x86_64.rpm
java-1.8.0-openjdk-src-debug-1.8.0.181-3.b13.el7_5.i686.rpm
java-1.8.0-openjdk-src-debug-1.8.0.181-3.b13.el7_5.x86_64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/java-1.8.0-openjdk-1.8.0.181-3.b13.el7_5.src.rpm



Description of changes:

[1:1.8.0.181-7.b13]
- Update to aarch64-jdk8u181-b13 and aarch64-shenandoah-jdk8u181-b13.
- Remove 8187577/PR3578 now applied upstream.
- Resolves: rhbz#1594249

[1:1.8.0.181-3.b04]
- Fix hook to show hs_err*.log files on failures.
- Resolves: rhbz#1594249

[1:1.8.0.181-3.b04]
- Fix requires/provides filters for internal libs. See RHBZ#1590796
- Resolves: rhbz#1594249

[1:1.8.0.181-3.b04]
- Update bug status and add missing bug IDs
- Resolves: rhbz#1594249

[1:1.8.0.181-2.b04]
- Add "8206406, PR3610, RH1597825: StubCodeDesc constructor publishes partially-constructed objects on StubCodeDesc::_list"
- Resolves: rhbz#1594249

[1:1.8.0.181-1.b04]
- Add hook to show hs_err*.log files on failures.
- Resolves: rhbz#1594249

[1:1.8.0.181-1.b04]
- Mark bugs that have been pushed to 8u upstream and are scheduled for a release.
- Resolves: rhbz#1594249

[1:1.8.0.181-1.b04]
- Update to aarch64-jdk8u181-b04 and aarch64-shenandoah-jdk8u181-b04.
- Resolves: rhbz#1594249

[1:1.8.0.181-0.b03]
- Update to aarch64-jdk8u181-b03 and aarch64-shenandoah-jdk8u181-b03.
- Remove AArch64 patch for PR3458/RH1540242 as applied upstream.
- Resolves: rhbz#1594249

[1:1.8.0.172-4.b11]
- Read jssecacerts file prior to trying either cacerts file (system or local) (PR3575)
- Resolves: rhbz#1593737

[1:1.8.0.172-3.b11]
- Update Shenandoah tarball to fix TCK overflow failure.
- Resolves: rhbz#1588364

[11:1.8.0.172-3.b11]
- jsa files changed to 444 to pass rpm verification
- Fix reg-ex for filtering private libraries' provides/requires.
- Resolves: rhbz#1588364

[1:1.8.0.172-2.b11]
- Remove build flags exemption for aarch64 now the platform is more mature and can bootstrap OpenJDK with these flags.
- Remove duplicate -fstack-protector-strong; it is provided by the RHEL cflags.
- Resolves: rhbz#1588364

[1:1.8.0.172-1.b11]
- Fix a number of bad bug identifiers (PR3546 should be PR3578, PR3456 should be PR3546)
- Resolves: rhbz#1588364

[1:1.8.0.172-1.b11]
- Update Shenandoah tarball to include 2018-05-15 merge.
- Split PR3458/RH1540242 fix into AArch64 & Zero sections, so former can be skipped on Shenandoah builds.
- Drop PR3573 patch applied upstream.
- Restrict 8187577 fix to non-Shenandoah builds, as it's included in the new tarball.
- Resolves: rhbz#1588364

[1:1.8.0.172-1.b11]
- Sync with IcedTea 3.8.0.
- Label architecture-specific fixes with architecture concerned
- x86: S8199936, PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations (-mstackrealign workaround)
- PR3539, RH1548475: Pass EXTRA_LDFLAGS to HotSpot build
- 8171000, PR3542, RH1402819: Robot.createScreenCapture() crashes in wayland mode
- 8197546, PR3542, RH1402819: Fix for 8171000 breaks Solaris + Linux builds
- 8185723, PR3553: Zero: segfaults on Power PC 32-bit
- 8186461, PR3557: Zero's atomic_copy64() should use SPE instructions on linux-powerpcspe
- PR3559: Use ldrexd for atomic reads on ARMv7.
- 8187577, PR3578: JVM crash during gc doing concurrent marking
- 8201509, PR3579: Zero: S390 31bit atomic_copy64 inline assembler is wrong
- 8165489, PR3589: Missing G1 barrier in Unsafe_GetObjectVolatile
- PR3591: Fix for bug 3533 doesn't add -mstackrealign to JDK code
- 8184309, PR3596: Build warnings from GCC 7.1 on Fedora 26
- Resolves: rhbz#1588364

[1:1.8.0.172-0.b11]
- Update to aarch64-jdk8u172-b11 and aarch64-shenandoah-jdk8u172-b11.
- Resolves: rhbz#1588364

[1:1.8.0.171-9.b12]
- Update to aarch64-jdk8u171-b12 and aarch64-shenandoah-jdk8u171-b12.
- Remove patch for 8200556/PR3566 as applied upstream.
- Resolves: rhbz#1588364


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata
Copyright 2021, SecurityGlobal.net LLC